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Abstract 

We present an algorithm to invert the Euler function tp{m). The algorithm, for a 
given integer n > 1, in polynomial time "on average" , finds the set \l/(n) of all solutions 
TO to the equation ip{m) — n. In fact, in the worst case the set \['(n) is exponentially 
large and cannot be constructed by a polynomial time algorithm. In the opposite 
direction, we show, under some widely accepted number theoretic conjecture, that the 
Partition Problem, an NP-complete problem, can be reduced, in polynomial time, to 
the problem of deciding whether ip{m) = n has a solution, for polynomially (in the 
input size of the Partition problem) many values of n. In fact, the following problem 
is NP-complete: Given a set of positive integers S, decide whether there is an n G 5 
satisfying ip(m) = n, for some integer to. Finally, we establish close links between the 
problem of inverting the Euler function and the integer factorisation problem. 

1 Introduction 

In this paper we study the complexity of a new number theoretic problem, namely the 
complexity of inverting the Euler function (p{m), which, as usual, for an integer m > 1, is 
defined by 

ip{m) = #{Z/mZr = n P'^'^iP - 

II m 

It is widely believed that computing the Euler function is equivalent to the integer 
factorisation problem. Moreover, let V2 denote the set of positive integers n which are 
products of two distinct primes p and q (with the additional condition p = q = 3 (mod 4) 
such numbers are often called Blum integers). Then for n € finding ip{n) is indeed 
equivalent to factoring n. Here we concentrate on the dual question of inverting the Euler 
function, which apparently has not yet been addressed in the literature. More precisely, 
given an integer n > 1, we want to find the set ^(n) of all integer solutions m > 1 to the 
equation (^(m) = n. 
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Here we design an algorithm which solves this problem in exponential time in logn 
in the worst case, and in polynomial time for "almost all" n (provided the prime number 
factorisation of n is given). Because for infinitely many n the cardinality of ^'(n) is 
exponentially large, any algorithm for inverting if must run in time exponential in logn 
in the worst case (or nearly exponential). Indeed, from the proof of Theorem 4.6 of |E] 
we see that for infinitely many n, 

#^'(n) > n^+°(i) 

where 7 > is any constant such that for any sufficiently large X there are at least X^^"^^^ 
primes p < X such that all prime divisors of p — 1 are less than X^~^ (see also 13 ). By 
Theorem 1 of fH^ one can take 7 = 0.7039. 

A natural question is whether the decision problem for inverting (p is any easier. We 
recall that n is called a totient, if there exists an integer m satisfying ip{m) = n. Given 
an integer n, and its prime factorization, how efficiently can we determine whether n is a 
totient? Because the output of any algorithm solving this problem need only be a single 
bit, we cannot so easily say that the running time must be exponential in logn, as we 
did in the case of determining all the solutions m. We prove in Section^ the somewhat 
surprising result that, assuming a certain strong form of the famous Hardy-Littlewood 
prime A;-tuplet conjecture (in the case k = 2), there is a polynomial time reduction from 
the Parition Problem, an NP-complete problem, to the question of whether (p{m) = n 
has a solution for a certain small set of integers n. In particular this shows that the 
following problem is NP-complete (assuming the Hardy-Littlewood conjecture): Given a 
set of integers 5, determine whether it contains a totient. Although at the present time 
the Hardy-Littlewood conjecture is out of reach, there are a number of results in this 
direction which leave little doubt that the conjecture is correct, for example, see jlj. 

Furthermore, in Section [S] we obtain an unconditional reduction from the problem of 
factoring integers n € to that of inverting the Euler function. As we have remarked, 
any polynomial time algorithm to compute the Euler function leads to a factorization 
algorithm for integers of the form n = pq where p and q are primes. Here we prove a 
somewhat dual statement by showing that any polynomial time algorithm to invert the 
Euler function (in the sense that the running time is (#^'(n) + T(n) + logn)'^^"^^ ), where 
the factorization of n is not given, leads to a probabilistic polynomial time factorisation 
algorithm for n E 7^2- This result is certainly weaker than that of Section |1] but is not 
based on any unproven assumptions. 

The growth, distribution in arithmetic progressions and in other special sets of elements 
of the values of the Euler function, and many other similar questions, have extensively 
been studied in the literature, see [51 IHl El ^1 ^1 ^1 and references therein. 
Nevertheless the considered here questions seem to be new and have never been studied. 
We also remark that analogues of our results can be obtained for the sum of divisors 
function a{m) and for several more similar number theoretic functions. 

2 Notation 

We use uj{m) and T(m) to denote the total number of distinct prime and positive integer 
divisors of a positive integer m, respectively (we also define ti;(l) = 0, r(l) = 1). 

We also use the Vinogradov symbols <C as well as the Landau symbols O and o 
with their regular meanings (we recall that U <^V and U = 0{V) are both equivalent to 
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the inequality \U\ < cV with some constant c > and U is equivalent U <^V <^ U). 
The implied constants in the symbols O, <C and x are always absolute unless indicated 
otherwise. 

3 Constructing ^(n) 

Our algorithm to find ^{n) makes use of the prime power factorization of n. If we were 
to modify our algorithm to find ^[n) where the factorisation of n is not given, but is first 
found by using a probabilistic factoring algorithm (see 0), then for most integers n, fac- 
toring would dominate the overall complexity of the algorithm. In the worst case, however, 
where ^ (n) is "large" , the running time of the rest of the algorithm would dominate this 
factoring step. For our algorithm, we simply assume that the prime number factorisation 
of n is given, which has the additional advantage of making our algorithm deterministic 
(while making factoring n a part of the algorithm would make it probabilistic). 

Theorem 1. There exists a deterministic algorithm which given the prime number fac- 
torisation 

of an integer n >2, constructs ^(n) in time 

T{n) < (#^*(n) + r(n) + logn)^^^) , 

where 

^*{n) = J^(d). 

d\n 

Proof. Basically, we give an algorithm which efficiently finds all representations of n of 
the following type: 

k 

i=i 

where £i < ■■■ < £k are primes, and where 71,..., 7^ > are integers. Each such 
representation corresponds to a solution Lp{m) = n, where 

Our algorithm is iterative and builds a graph, where all the vertices on the jth level 
correspond to a certain list £j, and where each solution m to ip{m) = n corresponds to 
some path from a vertex back to the top list £"1, although not all such paths correspond 
to such a solution. The vertices in each of these lists are assigned a certain value, which 
is an ordered pair of the form {ij,'yj), where ij is prime, and where 7j > is an integer. 

Given an integer n, we let P(n) denote the set of divisors of n. If we are given the 
prime power factorisation of n, then we can easily construct the set "Din) in time T{n)^^^\ 

We now describe £1: We let £1 be a set of vertices, one for each ordered pair (^1,71), 
where £1 is a prime, and 71 > 0, such that the number e = £j^{£i — 1) lies in T>{ri)\ that 
is, e|n. We also remark that for every e there are at most two possible pairs (£1,71). The 
vertices in this list are not be linked to each other, but are each doubly linked to entries 
of the yet to be mentioned list £2- 
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The list £2 is created as follows: We scan through 81, and for each vertex v in £^1, 
having the value (£1,71), we consider the integer riQ = n/fi{li — 1). Then, among the 
integers do G T^in^) (divisors of no), we locate all those corresponding to vertices v & £1 
having value (^,7), with i > £1; that is, do = P{i — 1). In this way, we run through all 
the divisors ci of ra of the form 

d = (£1 - l)f'{£ - 1), e^Ki are prime. 

The list £2 then consists of one vertex for each of these different ordered pairs {£, 7) , for 
each of the vertices v G £1; and, this vertex is doubly linked to its ancestor v ^ £1. 

We note that each vertex in £2 has a unique ancestor; and, different vertices in £2 may 
have the same value (^2,72)- 

In general, suppose we have constructed the list £j. Then, the list f'j+i is constructed 
as follows: By running through the vertices v £ £j, and then considering the unique path 
from V back to its ancestors in £j-i, £j-2, ■■■,£!, we get that these vertices (along with v) 
correspond to a sequence of ordered pairs (£j, 7^), . . . ., (^1,71), which represents a divisor 
d of n of the form 

j 

d = JJ £f{£i - 1), £1 <£2 < ■■■ < £j are prime. 

i=l 

We let no = n/d, and then we scan through the set P(no), looking for elements of the 
form £'^{£ — 1), where £ > £j is a prime number. We then add a vertex to £j+i, assign it 
the value (£,7), and doubly link it to the vertex v G £j. After we have done this for all 
these ordered pairs (^,7) generated by considering all v E £j, the construction of £j+i is 
completed. 

We continue constructing these lists, until we reach a list £t having no children. Since 
n has O(logn) prime power factors, and since each new level in the graph corresponds to 
a string of divisors di, . . . ,dt where di ■ ■ ■ dt\n, wc conclude that t = O(logn). 

It is obvious that each path from a vertex back to £1 along its unique ancestors in the 
graph corresponds either to a proper divisor 

h 

d = Yl £]' {£j-l), £i<£2<-- - < ih arc prime 
j=i 

of n such that there is no pair (^,7), £ > £h prime, 7 > 0, with £'^{£ — l)d\n; or, we have 
that d = n. Now, ii d = n, then d corresponds to the solution 

of ip{m,) = n. Thus, by considering the paths from vertices corresponding to n back to £1 
corresponding to d = n, we obtain the set ^(n). 

Finally, it is obvious that the running time of the algorithm is proportional to 

{L + T{n) + lognf^^\ 

where L is the number of paths throughout the above graph which is #^'*(n). □ 
To address the average performance of the algorithm, we require the following bound: 
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Theorem 2. The bound following bound holds: 



#^*(n) < xlogx. 



n<x 



Proof. We have that 



E 



#vl/(d) 



(1) 



d 



n<x n<x d\n 



d<x 



Now, 



d<x 

see [Z]. So, by partial summation, we conclude that 



=#{n> 1 : ip{n)<x} = 



C(2)C(3) 
C(6) 



+ o(l) x 




which, together with ^ finishes the proof. 



□ 



An almost immediate corollary of Theorem |2l together with the well known bound 



see Theorem 2 in Section 1.3.2 of jJSl) and Theorem Q is the following: 

Corollary 3. For every A > 0, there exists B > 0, so that for all but at most 0(x/ log"^ x) 
integers n < x we have that the algorithm in Theorem^finds ^(n) in time log^ n. 

4 NP-completeness of Totient Testing 

A natural question is whether it is any easier to decide if, given n, there exists an integer 
m satisfying ip{m) = n. In this section we prove that the problem of deciding whether 
a set of integers S contains a totient, is NP-complete, if we assume the following strong 
form of the Hardy -Littlewood prime fe-tuplet conjecture, see |3] for several results in this 
direction. 

Conjecture 4. There exists an integer A> Q such that the following holds: Suppose that 
[Mix + ai){M2X + a2) has no fixed prime divisors as x runs through the integers, and that 
Ml, M2 > 0, and Q < m < Mi for i = I and 2. Then, there exists an x < log^(MiM2 + 1) 
such that both Mix + ai and M2X + 02 are prime. 

We first note that the decision problem is in NP, since if we let C be the language 
consisting of all finite subsets of the natural numbers which contain a totient, then we 
have: For each S £ C, suppose n G 5 is a totient. Then, there exists a string s, of 
length log*^*-^^ n, which we can use to verify that 5 € £ in polynomial time, namely if s 
is the prime power factorization of any solution m to ip{m) = n (and, given the prime 
power factorization of m, it is easy to compute ip(m)). Since we can check whether a 
number is prime in polynomial time, and therefore check that s is a legitimate prime 
power factorization in time log*^*-^^ m, we conclude that C is in NP. 

The problem which we reduce to our decision problem is the following variant of the 
subset sum problem, which is known to be NP-complete. 




(2) 



n<x 
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Partition Problem: Given 2k > 2 nonnegative integers xi, . . . ,X2fc, where 
5 = xi + • • • + X2k is even, decide whether there exist 1 < ii < . . . < with 

^il + ■ ■ ■ + Xif. = S/2. 

Assuming Conjecture|lJ we show there is a polynomial time reduction of the Partition 
problem to the problem of deciding whether there exist integers m satisfying ip(m) = n, 
for a certain small set of values of n. 

To prove this theorem, we require the following result which could be of independent 
interest. 

Theorem 5. Given an odd number k > 1 and given 2k integers xi, . . . ,X2k, we can 
construct in polynomial time a series of congruence classes ai (mod M), {ai,M) = 1, 
such that if Ni, . . . , N2k are any numbers satisfying Ni = ai (mod M), and . . . , i^} C 
{1, . . . , 2k}, with i < k, then 

gcd{2Ni^---Ni^ + l, M) = 1 ^ £ = k andxi^ + --- + Xi^ = S/2; (3) 

Ni-1 \ 4Ni---N2k, i = l,...,2k; (4) 

gcd(2iVi • • • iVsfc + 1, M) > 1, and gcd(4A^i • • • iVafc + 1, M) > 1. (5) 

Proof. First, we let Ri, . . . , Rk-i be the first consecutive primes greater than k. Next, 
given 



2k 

l-^i I ) 
i=l 

we let Ui, . . . , Ut be the first consecutive primes greater than Rk-i such that 



llUi > 2A. 



i=l 

Finally, we let v = Ut, and then let Vi,...,Vv be consecutive primes greater than Ut- 
Then, we let 

h=l i=l 3=1 ^ ' 

We claim that this integer M satisfies logM = (j4A;)'^(^\ which can be proved by repeated 
use of the Prime Number Theorem; also, we claim that each of these factors are coprime 
to the others, which can be proved by repeated use of the fact that (2^ -1,2^-1) = 

We let ai, . . . , a2k all be in the same class modulo 8 • 3 • 5, defined via the Chinese 
remainder theorem as follows: 

Qi = 1 (mod 8); Oj = 2 (mod 3); Oj = 4 (mod 5); 

and, for j = 1, . . . , /c — 1, we let 

ai = 23^ (mod (2^^ + l)/3), (6) 
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where for gj is any solution to 1 + jgj = Rj (mod 2Rj) (for j odd there is a unique gj] 
and for j even, there are two values gj that satisfy this). 

The congruence condition modulo 8 ensures that (0]) holds; the congruence modulo 
3 forces the first part of © to hold; and the condition modulo 5 forces the second part 
of © to hold. Finally, the condition © ensures that gcd(2A'j^ • • • N^^ + 1, M) = 1 implies 
i = k, which is part of ©• 

Now, for i = 1,2, . . . ,t, we let 

{9{i, 1), . . . , e{i, Ui - 1)} = {0, . . . , C/i - 1} \ {S/2 (mod Ui)}; 

that is, for every i = 1,2, ... ,i, the values of 0{i,j) run through the congruence classes 
modulo Ui, omitting the class S/2 (mod Ui). Next, let 

6ij = (mod UiVj), < < UVj - 1. 

Then, iov i = 1,2, ... ,t, j = 1,2, ... ,Ui — 1, and 1 = 1,..., 2k, we let 



{2U^ - 1){2^J - !)■ 



Then, if {xm, ■ ■ ■ ^Xn,,} is any A;-element subset of k of {xi, . . . ,X2k} such that Xm + 
• • • + Xrn. 7^ S/2, we must have that for some i = 1,2, . . . ,t and j = 1, 2, .., Ui — 1, 

x„i H h Xuk = 0{i,j) (mod U); 

and so, on letting T = (2'^»^J - l)/{2'^' - 1){2^^ - 1), we see that if Ni = ai (mod M), 
then 

2Nni ■ ■ ■ Nn^ + 1 = (_l)*=2-^+^J*^^"i+'"+'^"fc~'^'^*^*'''^^*^*'-'^)^'^^*^*'-'') + 1 

= _2t^»^.^ + 1 = (mod T), 

where / is some integer. Conversely, if Xh^ + • • • + x/j^. = S/2, then one can show that 
{2Nh^ ■ ■ ■ Nhf^ + 1,M) = 1. Thus, we have estabhshed ©, and the result follows. □ 

Now are now ready to prove our main result. 

Theorem 6. Suppose that xi, . . . ,X2k is an input of the PARTITION problem. Let 

2k 



B = J2^og{xi + 2) 



i=l 

Then, in polynomial time, we construct a set of s = B'^^^^ integers ni,... ,n<j such that 
the answer to the corresponding PARTITION problem is "Yes" if and only if for some 
i = 1,2, . . . , s we have that (p{m) = Ui has a solution. 

Proof. Suppose xi, . . . ,X2k are given. We may assume that k is odd, since if k is even, 
then we can enlarge our set {xi, . . . , X2k} by two new elements X2k+i = X2k+2 = 0. 

Now, suppose that pi, . . . ,P2k are a set of primes satisfying pi = Oi (mod M), pi > M. 
Then, as a consequence of ©, Q, and © of Theorem El one can see that if there is a 
solution m to 

ip{m) = Api ■■■p2k, 



7 



then m = P1P2 or 2P1P2, where Pi and P2 are both primes satisfying 
Pi = 2pi^ ■■■pi^ + 1, and P2 = 2pj^ ■■■pj^ + l, 
where {pi^,. . . U {pj^,. . . ,pj^} = {pi, ■ ■ ■ ,P2k}- Moreover, we have 

+ ■ ■ ■ + = S/2 = Xj-^ + • • • + Xj^ . (7) 

Now suppose that there are two subsets of {xi, . . . ,X2k} satisfying ((7)). Let £ be one 
of the numbers 2, 3, . . . , fc + 2, and suppose we are lucky and have 1 G {zi, . . . , ik} and i G 
{ji ; • • • ) jk } 5 or have 1 € { ji , ■ ■ ■ ,jk} and £ G {ii, . . . ,ik}; certainly, for one of these values 
£ = 2,3, . . . , k + 2 this must hold. We suppose that 1 G {ii, . . . , ik} and £ G {ji, . . . ,jk}- 
Let {ti, . . . , t2k~2} = {1; 2, . . . , 2k} \ {1, ^}. Then, assuming conjecture^ (speicializing to 
the case of one linear form, instead of two), we can pick values ti, . . . , t2fc-2 < B^^^^ such 
that the numbers + Mti are all prime; moreover, we can pick these numbers in time 
^0(1)^ by first picking ti, then t2, and so on. 

Now, we consider the polynomials 

F{x) = 2{ai + Mx) Yl (a„ + Mt„) + 1, 

and 

G{y) = 2{ae + My) (a, + Mt„) + L 

"G{ji,...,jfc} 

By F{x) and G(y) are coprime to M for all integers x,y, and so have no fixed prime 
divisors; moreover, (oi + Mx)F{x) and {ai + My)G{y) have no fixed prime divisors. So, 
assuming Conjecture |11 if we run through the values x,y < B'-^^^^ that make ai + Mx 
and a£ + My both prime, then among these values x and y, there must be a choice which 
makes ai + Mx, + My, F{x), and G(i/) all prime. So, we have a set of primes pi, . . . , p2k 
of the form 

Pi = ai + Mx, pi = at + My, 

and 

Pi= Oi + Mtj, i = 2,..., £-!,£ + !, ...,2k. 

These primes satisfy the congruence conditions pi = (mod M). Furthermore, we also 
have that 2pi-^ ■ ■ - pi^ + 1 = F{x) is prime, as is 2pj-^ ■ ■ -pj^ + 1 = G{y). So, if we let 
n{x,y) = ^Pi---P2ki then we get a solution (p{F{x)G{y)) = n{x,y). So, by running 
through choices for x,y < B'^^^\ and £ = 2,3, . . . ,k + 2, we are guaranteed to hit upon a 
value n(x, y) having a solution (/;(m) = n(x, y), as long as there is a subset of {xi, . . . , X2k} 
summing to S/2. 

Conversely, if there is no subset of {xi, . . . , X2k} summing to S/2, then either F{x) or 
G{y) is an odd composite number, and so they fail to satisfy ip{F{x)G{y)) = n{x,y) for 
all values x,y. 

Thus, the Partition problem can be reduced, in polynomial time, to the problem of 
deciding whether 99(771) = n for a set of B^^^^ values n, which finishes the proof. □ 
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5 Inverting the Euler Function and Integer Factorisation 



The algorithm of Theorem ^ assumes that the prime number factorisation of n is given. 
Here we show the factorisation problem for integers from V2 can be reduced in in proba- 
bilistic polynomial time to the problem of inverting the Euler function. 

Theorem 7. Given an algorithm that finds ^{m) in time (7^^'*(m) + r(m) + logm)*^'-"'^-*, 
without being given the prime factorisation of n, one can factor integers n £V2 in proba- 
bilistic polynomial time. 

Proof. Let 7r(X;r,a) denote the number of primes i < X with I = a (mod r). We need 
the following result which is a greatly relaxed version of Theorem 2.1 of Namely, if r 
is a sufficiently large prime number then for X >r^ 

for any integer a with gcd(a, 4r) = 1. 

Now, assume we are given sufficiently large odd n = pq ^ V2. We choose two positive 
integers ki,k2 < and consider the product 4(2/ci + 1)(2A;2 + l)n. 

It is clear that if 4{2ki + 1)(2A;2 + = ip{m) then uj{m) < 3. More precisely, it is 
possible only for the values of m of the form 

1. m = i or m = 2i or m = 4i where i is prime; 

2. m = ^1^2 or m = 2lii2 where ^1,^2 are prime; 

In each case of the first group i is uniquely defined (and clearly there are at most two 
suitable values of i) . 

Both cases of the second type occur simultaneously with the same values of £1, £2 which 
(up to a permutation) are either of the form 

h = 2di + 1, l2 = 2d2pq + 1, 

or of the form 

ii = 2dip+l, ^2 = 2^29+1, 

where di and d2 are divisors of {2ki + 1)(2A;2 + 1) with did2 = {2ki + 1)(2A;2 + 1). Therefore, 
there are at most 

2r((2A:i + 1)(2A:2 + 1)) < 2t(2A:i + l)r(2A;2 + 1) 

possible solutions of the second kind. We see from ((2)) then the total number of positive 
integers k < X with r(/c) > log'^X is 0{X log^^ X). Thus from © (applied with r = p 
and a = 2r + 1) we derive that there are at least 



An^p 



+ 0(n^log~^n) > 



n 
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Ap log 2 log 

positive integers ki < for which simultaneously 2(2A;i + l)|?+l is prime and r(2A;i + l) < 
log^ n. Similarly, we have at least the same number of positive integers /c2 < for which 
simultaneously 2(A;2 + l)q + 1 is prime and t(2/c2 + 1) < log^ n. 
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For each such pair of integers ki, k2 we see that the cardinahty of ^'(4(2/ci + l)(2A;2 + l)n) 
is polynomially bounded, namely, #\E'(4(2/ci + l)(2/c2 + 1)?^) = O(log^n), and contains a 
solution of the form 

m=(2(2A;i + l)p + l)(2(2A:2 + 1)^ + 1) (9) 

from which, together with the equation n = pq, the primes p and q can be trivially found 
(we certainly have to try all values of m £ ^'(4(2A;i + l)(2/c2 + 1)?^) in order to find the 
one of the form Q)- 

These considerations naturally lead to the following probabilistic algorithm which finds 
the above pair of ki, /c2 and thus the primes p and q. 

Assume that the inverting algorithm outputs "if{N) in time bounded by {^"if{N) log N)^ 
for some constant A > 0. We choose integers ki,k2 uniformly at random in the interval 
[l,n^] and use the algorithm to compute \I'(4(2/ci + 1)(2A:2 + l)"-)- If the time it takes 
exceeds log^"^ this means that ^^{4(2ki + l)(2/c2 + 1)?^) > log"^ and we simply ter- 
minate the algorithm and choose another pair /ci , /c2 • It is clear that in the expected time 
0(log^ n) we find the desired pair of fei, A;2. □ 
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